"Access your critical Dell SecureWorks security information on the go."
"With the Dell SecureWorks Mobile App you can:
* Quickly respond to security incidents on your mobile device
* Review/update/create tickets for your critical security events
* Contact the Dell SecureWorks Secure Operations Centers 24/7/365
* Get the latest threat intelligence from our award winning Counter
Threat Intelligence (CTU) team"
The Dell SecureWorks iOS application (version 2.0.6 and below) does
not validate the SSL certificate it receives when connecting to a
secure site.
Impact
An attacker who can perform a man in the middle attack may present a
bogus SSL certificate which the application will accept silently.
Usernames, passwords and sensitive information could be captured by an
attacker without the user's knowledge.
Timeline
October 4, 2015 - Notified Dell SecureWorks via
security (at) secureworks (dot) com [email concealed] & security (at) dell (dot) com [email concealed]
October 6, 2015 - Dell SecureWorks responded stating that they are investigating
October 15, 2015 - Dell SecureWorks asked for steps to reproduce the
vulnerability
October 15, 2015 - Provided steps to reproduce
October 22, 2015 - Dell SecureWorks confirmed the vulnerability
October 22, 2015 - Asked for a timeline to release the new version
October 26, 2015 - Dell SecureWorks responded stating they are working
on an update but do not have a timeline
February 2, 2016 - Dell SecureWorks released version 2.1 which
resolves this vulnerability
--
http://www.info-sec.ca/advisories/Dell-SecureWorks.html
Overview
"Access your critical Dell SecureWorks security information on the go."
"With the Dell SecureWorks Mobile App you can:
* Quickly respond to security incidents on your mobile device
* Review/update/create tickets for your critical security events
* Contact the Dell SecureWorks Secure Operations Centers 24/7/365
* Get the latest threat intelligence from our award winning Counter
Threat Intelligence (CTU) team"
(https://itunes.apple.com/us/app/dell-secureworks/id533072046)
Issue
The Dell SecureWorks iOS application (version 2.0.6 and below) does
not validate the SSL certificate it receives when connecting to a
secure site.
Impact
An attacker who can perform a man-in-the-middle attack may present a
bogus SSL certificate, which the application will accept silently.
Usernames, passwords and other sensitive information could then be captured by
the attacker without the user's knowledge.
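As an added illustration (not the application's own code, which the advisory does not include), the URLSession delegate pattern behind this class of bug in Swift, beside a version that actually evaluates the server's certificate chain; the host name is a placeholder assumption:

```swift
import Foundation
import Security

// INSECURE: the pattern behind this bug class. Whatever certificate the server
// presents is wrapped in a credential without being evaluated, so a
// man-in-the-middle can terminate TLS with any certificate it likes.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // No SecTrustEvaluate* call: the chain is never checked.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// FIXED: bind an SSL policy to the expected host, evaluate the chain against
// the system trust store, and cancel the connection on any failure. If no
// custom handling (for example, pinning) is needed, simply not implementing
// this delegate method gives the same result via default handling.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    private let expectedHost = "api.example.com" // assumption: placeholder host

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              challenge.protectionSpace.host == expectedHost,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Require a chain valid for this host name, not just any trusted chain.
        let policy = SecPolicyCreateSSL(true, expectedHost as CFString)
        SecTrustSetPolicies(trust, policy)
        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // A bogus or self-signed certificate lands here and the request fails.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

A quick regression check for the fixed build is to point the app at a proxy presenting an untrusted certificate and confirm the request fails instead of completing.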
Timeline
October 4, 2015 - Notified Dell SecureWorks via security (at) secureworks (dot) com & security (at) dell (dot) com
October 6, 2015 - Dell SecureWorks responded stating that they are investigating
October 15, 2015 - Dell SecureWorks asked for steps to reproduce the vulnerability
October 15, 2015 - Provided steps to reproduce
October 22, 2015 - Dell SecureWorks confirmed the vulnerability
October 22, 2015 - Asked for a timeline to release the new version
October 26, 2015 - Dell SecureWorks responded stating they are working on an update but do not have a timeline
February 2, 2016 - Dell SecureWorks released version 2.1, which resolves this vulnerability
Solution
Upgrade to version 2.1 or later.